Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.
Metrics
Affected Vendors & Products
References
History
Tue, 12 Nov 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Icinga
Icinga icinga Web 2 |
|
CPEs | cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:* | |
Vendors & Products |
Icinga
Icinga icinga Web 2 |
|
Metrics |
ssvc
|
Tue, 12 Nov 2024 17:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12. | |
Title | Icinga 2 has a TLS Certificate Validation Bypass for JSON-RPC and HTTP API Connections | |
Weaknesses | CWE-295 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-12T16:44:01.713Z
Updated: 2024-11-12T17:06:41.572Z
Reserved: 2024-10-14T13:56:34.811Z
Link: CVE-2024-49369
Vulnrichment
Updated: 2024-11-12T17:05:47.848Z
NVD
Status : Awaiting Analysis
Published: 2024-11-12T17:15:08.250
Modified: 2024-11-13T17:01:58.603
Link: CVE-2024-49369
Redhat
No data.